1. Field of the Invention
The present invention relates to an authentication-ticket processing apparatus that can speed up the acquisition of user information.
2. Description of the Related Art
Authentication tickets may be used in order for a server on a network to provide prompt, safe services.
There are various specifications for authentication tickets depending on their usage. One such specification relates to an authentication ticket referred to as a “self-contained ticket”, which returns user information at the time of the decoding process.
FIG. 1 is a drawing showing the flow of related-art processes from an authentication request to the acquisition of an authentication ticket. Prior to receiving services from a service server 2, a client 1 issues an authentication request to a user authentication apparatus (UAUD: User Authentication by User Directory) 3 (step S1). The user authentication apparatus 3 checks user information with a user management database 4 (step S2). Upon confirmation, the user authentication apparatus 3 obtains only user ID information from the user management database 4 (step S3). The user authentication apparatus 3 then generates an authentication ticket based on the user ID information (step S4), and supplies the authentication ticket to the client 1 (step S5).
FIG. 2 is a drawing showing the flow of related-art processes from a service request to the start of a service. The client 1 issues a service request together with the authentication ticket to the service server 2 (step S11). In response, the service server 2 issues a decoding request to the user authentication apparatus 3 to decode the authentication ticket (step S12). The user authentication apparatus 3 acquires user information (inclusive of information other than the user ID information) from the user management database 4 (steps S13, S14), and then supplies the user information to the service server 2 (step S15). Based on the supplied user information, the service server 2 makes a decision about the access right regarding the relevant service so as to start providing the service (step S16).
Patent Document 1 discloses an image forming apparatus, an accumulated document management method, and an accumulated document processing system that can share an authentication function regarding accumulated documents, and that can supply accumulated documents without squandering the resources of the network and the resources of the multifunction machine.
[Patent Document 1] Japanese Patent Application Publication No. 2004-135291
In the configuration of FIG. 2, the service server 2 issues a decoding request to the user authentication apparatus 3 each time it receives a new service request together with an authentication ticket, even if the authentication ticket is the same as one that was previously received, and the user authentication apparatus 3 acquires user information from the user management database 4 accordingly. Such an arrangement is made because, in the case of a self-contained ticket, the registration status of the user may change over the long time period during which the authentication ticket is kept in possession, so that the user information at the time of a decoding process may differ from the user information as it existed at the time of authentication. When a document is to be delivered or printed in a workflow, for example, the user may encounter a wait state at the start of operation. The time at which the function will exit from the waiting state and become operational is unknown. Because of this, an authentication ticket that is to be used after the resumption should be valid for a sufficiently long time period. There may be situations, however, in which the user information as it existed at the time of authentication is different from the current user information when the function becomes available, due to assignment to another post in the organization, leave of absence, requirement from the company, or the like. For this reason, provision is made to acquire user information from the user management database 4 at the time of decoding the authentication ticket.
Since the related-art system is based on such an arrangement, if a plurality of services at the service server 2 use the same authentication ticket simultaneously, multiple decoding requests are issued to the user authentication apparatus 3 at short intervals (e.g., at intervals of a few seconds). As a result, the user management database 4 is accessed multiple times within a short period to obtain the same user information. FIG. 3 is a drawing showing the way in which authentication ticket decoding requests are frequently issued in the related-art arrangement. Multiple decoding requests are consecutively issued at short intervals from the service server 2 to the user authentication apparatus 3 (step S22). In response, the acquisition of user information from the user management database 4 is performed consecutively by the user authentication apparatus 3 (step S23).
In the related-art system as described above, when multiple decoding requests in respect of the same self-contained ticket are issued at short intervals, the user management database 4 is accessed multiple times accordingly to obtain the same user information, resulting in a performance drop.
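The related-art behavior of FIGS. 1 to 3 can be reproduced with the following simulation, which is an added example and not part of the original document. The ticket format (user ID plus an HMAC tag), the class and method names, and the sample user record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class UserManagementDatabase:
    """Stand-in for user management database 4 (constructed sample data)."""

    def __init__(self):
        self.passwords = {"alice": "constructed-password"}
        self.records = {"alice": {"dept": "sales", "active": True}}
        self.info_reads = 0          # counts user-information acquisitions

    def check(self, user_id, password):              # steps S2-S3
        stored = self.passwords.get(user_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode(), password.encode())

    def get_user_info(self, user_id):                # steps S13-S14
        self.info_reads += 1
        return dict(self.records[user_id])


class UserAuthenticationApparatus:
    """Stand-in for user authentication apparatus 3."""

    def __init__(self, db):
        self.db = db
        self.key = secrets.token_bytes(32)           # MAC key: an assumption

    def _tag(self, user_id):
        return hmac.new(self.key, user_id.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user_id, password):       # steps S1-S5
        if not self.db.check(user_id, password):
            raise PermissionError("authentication failed")
        return f"{user_id}.{self._tag(user_id)}"     # ticket holds the user ID only

    def decode(self, ticket):                        # steps S12-S15
        user_id, _, tag = ticket.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._tag(user_id).encode()):
            raise PermissionError("invalid ticket")
        return self.db.get_user_info(user_id)        # one database access per call


def simulate(n_requests):
    """Authenticate once, reassign the user, then decode the ticket n times."""
    db = UserManagementDatabase()
    uaud = UserAuthenticationApparatus(db)
    ticket = uaud.authenticate("alice", "constructed-password")
    db.records["alice"]["dept"] = "audit"            # change after authentication
    infos = [uaud.decode(ticket) for _ in range(n_requests)]
    return infos, db.info_reads
```

Every decode returns the user information as it stands at decoding time, and the read counter grows by one per decoding request even though the ticket and the returned record are identical.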
This problem may have to be accepted as a compromise because it arises from the intended specification of the self-contained ticket. However, a change in user information, which that specification is meant to handle, does not occur frequently. Treating such a special case at the expense of performance may be considered an action that lacks a sense of balance. Namely, user information regarding users of a document management system or the like is not frequently modified. If modified, such modification mainly occurs when there is an organizational change such as staff reassignment, and the frequency of such change may be a few times a year to a few times a month at the maximum. Accessing the database each time a decoding request is made in order to avoid trouble on such few occasions may be an overreaction.
Accordingly, there is a need for an authentication-ticket processing apparatus that can overcome the performance problem associated with the self-contained ticket, and that can speed up the acquisition of user information.